**Microsoft SharePoint Exploited to Hack Multiple Energy Firms**
Hackers have once again turned their attention to exploiting Microsoft's popular collaboration platform, SharePoint, to target large energy firms and steal employee email credentials. According to a new report from Microsoft, multiple organizations in the energy sector were already targeted by the attackers.
The attack begins with a compromised email account being used for initial contact. The hackers send a legitimate-looking email containing a SharePoint link that, when clicked, redirects the victim to a credential-harvesting website. There, they are prompted to log in using their corporate credentials.
Unfortunately, victims who attempt to log in end up sharing their credentials with the attackers, granting them access to real corporate email accounts. The attackers then take steps to establish persistence while hiding from the victims. This includes creating an inbox rule to delete incoming messages and marking emails as read.
The final step involves sending large volumes of new phishing emails to both internal and external contacts, as well as distribution lists. The attackers then monitor the inboxes: they delete delivery-failure and out-of-office (OOO) emails, read the responses, and answer questions to maintain the appearance of legitimacy.
Microsoft has not shared details about the campaign's success or the exact number of organizations targeted, but warns that simply resetting the password will not be enough to remove the attackers. The company notes that the hackers created rules and changed settings that enable persistence even after they are ousted.
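One way to check for the inbox-rule persistence described above, shown as an added example that is not taken from Microsoft's report: it scans audit records for rules that delete incoming mail and ranks them. The records are constructed, and their field layout (modeled on Microsoft 365 unified audit log entries for the `New-InboxRule` and `Set-InboxRule` cmdlets), the sample users and the severity labels are assumptions of this example.

```python
import json

# Constructed sample records; layout modeled on unified audit log entries (assumption).
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2024-01-01T09:12:00","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-01-01T10:03:00","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"SubjectContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2024-01-01T11:40:00","Operation":"Set-InboxRule","UserId":"carol@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"Cleanup"},{"Name":"SubjectContainsWords","Value":"lottery"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-01-01T12:00:00","Operation":"MailItemsAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.7"}
"""

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Inbox-rule parameters that narrow which messages a rule applies to.
CONDITION_PARAMS = {"From", "SentTo", "SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords",
                    "HeaderContainsWords"}

def _is_true(value):
    return str(value).strip().lower() == "true"

def assess(record):
    """Return a finding for a rule that deletes mail, or None if not relevant."""
    op = record.get("Operation")
    if op not in RULE_OPS:
        return None
    params = {p.get("Name"): p.get("Value") for p in record.get("Parameters", [])}
    if not _is_true(params.get("DeleteMessage")):
        return None
    reasons = ["deletes incoming mail"]
    marks_read = _is_true(params.get("MarkAsRead"))
    if marks_read:
        reasons.append("marks mail as read")
    # Judged only on rule creation: a Set-InboxRule record lists just the
    # parameters passed in that call, so missing conditions prove nothing there.
    unconditional = op == "New-InboxRule" and not (CONDITION_PARAMS & params.keys())
    if unconditional:
        reasons.append("no conditions: applies to every message")
    severity = "high" if (marks_read or unconditional) else "review"
    return {"time": record.get("CreationTime"), "user": record.get("UserId"),
            "ip": record.get("ClientIP"), "operation": op,
            "severity": severity, "reasons": reasons}

def scan(log_text):
    """Parse one JSON record per line, skipping blank or malformed lines."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            finding = assess(json.loads(line))
        except (json.JSONDecodeError, AttributeError, TypeError):
            continue
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LOG):
        print(f["severity"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

A "high" finding on an account that also received a SharePoint-themed lure is a reason to remove the rule and review the account's MFA methods, since a password reset leaves both in place.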
"Even if the compromised user's password is reset and sessions are revoked, the attacker can set up persistence methods to sign-in in a controlled manner by tampering with multi-factor authentication (MFA)," Microsoft warns. "For instance, the attacker can add a new MFA policy to sign in with a one-time password (OTP) sent to the attacker's registered mobile number."
To stay safe from such attacks, Microsoft recommends implementing conditional access policies that can trigger alarms if certain conditions are met, in addition to using MFA. Users should also be aware of suspicious emails and links, and not click on them without verifying their authenticity.
**Stay Safe: Tips for Energy Firms**
- Avoid clicking on suspicious emails or links from unknown sources.
- Implement conditional access policies to trigger alarms if certain conditions are met.
- Use multi-factor authentication (MFA) to add an extra layer of security.
- Regularly review and update passwords, as well as monitor email accounts for suspicious activity.
The latest report serves as a reminder that energy firms must remain vigilant against sophisticated attacks like this one. By staying informed and taking proactive measures, organizations can reduce the risk of falling victim to such cyber threats.